Security Check: SIP Firewall Security

September 5th, 2017

When you’re looking at network security, have you given much thought to SIP firewall security? When small and midsized business owners consider a move to SIP, they often focus on the wrong adjectives: fast, cheap, and easy. Some providers encourage that focus to speed up the sale, creating the impression that SIP trunks can be installed and maintained without worrying about the security risks that come with exposing any service to the internet. They refuse to shoot straight when it comes to security.

Many SIP providers will tell you that SIP signaling can be encrypted and that each SIP request can be challenged for authentication. Encryption and authentication are valuable, but they are only part of the SIP trunk security story: they protect the messages in transit, not the edge of your own network. What if the weak point is closer to home?

One of the core components of your network defenses is your firewall. If you don’t know whether your business has a firewall, or assume that it does but know little about how it is configured, it’s time for a security check.

Fortifying your Defenses

With packets of data continuously flooding into and out of your business, the modern firewall shares characteristics with your front door.  The door’s primary responsibility is to allow or block entry, with a lock on the handle and a deadbolt to keep unsavory intruders at bay.  It may also have a spy hole or security camera installed, so you can monitor who is on the doorstep, or even a chain so you can open it partway and have a conversation with a salesperson.  There may be a mail slot so the postman can drop off your bills, or even a pet door to allow your dog or cat to pass in and out of the house freely.  Each accessory acts as a port, allowing safe passage for designated items into and out of the home.

Firewalls play a similarly significant role in SIP trunk security since they can block unwelcome traffic and keep malicious hackers at bay while allowing SIP calls to flow through specified channels. But they’ve grown more complex over time in response to advances in technology and the sophistication of the attacks they are designed to ward off.

Types of Firewalls

Firewalls are often mistakenly lumped together with anti-virus programs, but they do a different job, and a firewall can be either a hardware appliance or a software application. Hardware devices sit on the network and filter incoming and outgoing packets according to rules set by the administrator. Firewall software is installed on a computer’s operating system and filters the packets reaching that machine. Along with keeping unwanted packets off the network, the firewall at the edge of a business network usually has to perform a specialized type of address translation, and that is where SIP firewall security gets tricky.

Firewalls and Network Address Translation (NAT)

As we’ve discussed in previous articles, a SIP call consists of three distinct network flows:
  • The SIP connection, which carries the signaling
  • The incoming audio stream from the other party
  • The outgoing audio stream to the other party
Devices inside your network usually have private IP addresses, which cannot be reached directly from the internet, and they share a single public IP address. Network Address Translation, or NAT, is the method by which the firewall rewrites the address information in packets as they pass through. By replacing the caller’s private address with the public address, the call can be delivered to its destination. When the response comes back, the firewall consults its translation table to find the private address and port of the original sender, so the returning packets can traverse the firewall and reach the right device.

The incoming and outgoing audio streams use RTP, or Real-time Transport Protocol, and they run on ports separate from the signaling; those ports are negotiated inside the SIP messages themselves. A firewall that only tracks connections it has already seen leaving the network has no translation entry for the audio the other party starts sending. If the firewall doesn’t recognize the incoming stream, it blocks it, producing one-way audio: you won’t be able to hear them, though they may still hear you.

So you must ensure that the firewall you have, or the firewall you’re considering, is SIP aware, meaning it can be configured to pass the signaling and both media streams (as explained below, that does not mean enabling SIP ALG). It’s equally crucial that the firewall is configured correctly, because along with one-way audio, an incorrect configuration can cause low-quality calls and calls that don’t connect.

When configuring SIP firewall security, a business must think like a security guard and understand what is being allowed in and out of its private network. Many firewalls let everything out because they trust the internal network, while placing intense scrutiny on incoming traffic. Incoming traffic is admitted only through explicit rules that name specific source IP addresses, ports, and protocols, and steering that traffic to a particular internal device is known as port forwarding.

What is Port Forwarding?

Port forwarding is an application of NAT that redirects traffic arriving at one address and port to another address and port. It lets outside hosts reach your phone system’s private IP address on the ports your firewall defines. Essentially, you’re opening a hole in your firewall and directing a certain type of traffic through that hole. Port forwarding needs to be done carefully: you want SIP signaling and RTP/UDP media from your carrier to reach your IP-PBX, but you don’t want to let non-SIP, and possibly malicious, traffic in.

What needs to be port forwarded? Your carrier’s IP addresses, its SIP signaling port, and the RTP media port range, since all three play a part in connecting calls securely and carrying media between the parties. As an example, if your business were working with us for outbound calling, we would instruct you to:

  • Allow our IP 216.147.191.156 into your firewall on port 5060, the SIP signaling port, and only from that address, so that random internet hosts cannot reach your PBX’s signaling port;
  • Forward an RTP/UDP port range sized to the number of simultaneous calls you expect, since each active call needs its own media port (RTCP normally uses the next port up, so allow for roughly two ports per call); and
  • Disable SIP ALG. SIP ALG can cause any number of call problems in configurations with more than two lines, such as failed calls, mixed RTP streams, and poor call quality.
Some SIP firewall solutions also inspect what arrives on port 5060, the SIP signaling port. Through pre-set rules and policies, only well-formed SIP traffic is forwarded, while any other UDP traffic sent to that port is refused.
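To make the NAT behaviour from the previous section and the forwarding rules above concrete, here is an added example that is not code from the original article or from Voxtelesys: a small Python model of a stateful NAT in front of an IP-PBX. The public address 203.0.113.10, the PBX address 192.168.1.20, the probing host 198.51.100.77 and the RTP range 10000-10199 are assumptions made for the demonstration; the carrier address is the one quoted above. The model learns translation entries only from outbound packets, so the carrier’s first RTP packet has nothing to match and is dropped (the one-way audio case) until a forward for the RTP range exists. Because the forwards are restricted to the carrier’s address, a probe of port 5060 from elsewhere is still dropped in both configurations.

```python
"""Added example: a toy stateful NAT in front of an IP-PBX, showing why
inbound RTP is dropped (one-way audio) until a forward for the RTP range
exists, and why forwards should be restricted to the carrier's address.
All addresses, ports and packets are constructed for the demonstration."""
from dataclasses import dataclass
from typing import Optional

PUBLIC_IP = "203.0.113.10"      # assumed public address of the firewall
PBX_IP = "192.168.1.20"         # assumed private address of the IP-PBX
CARRIER_IP = "216.147.191.156"  # carrier address quoted in the article
SCANNER_IP = "198.51.100.77"    # assumed unrelated internet host
SIP_PORT = 5060
RTP_RANGE = (10000, 10199)      # assumed RTP/UDP range used by the PBX


@dataclass(frozen=True)
class Packet:                   # UDP only; enough for SIP and RTP
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str


@dataclass(frozen=True)
class Forward:
    """Static forward: inbound dst ports first..last go to target, and only
    from allowed_src when one is given (the "allow our IP" rule)."""
    first: int
    last: int
    target: str
    allowed_src: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        return (self.first <= pkt.dst_port <= self.last
                and (self.allowed_src is None or self.allowed_src == pkt.src_ip))


class StatefulNat:
    """NAT that learns translation-table entries from outbound traffic only.
    Inbound packets are delivered if they belong to a learned flow from the
    same remote host or match a static forward; everything else is dropped."""

    def __init__(self, public_ip: str, forwards=()):
        self.public_ip = public_ip
        self.table = {}           # public port -> (private ip, private port, remote ip)
        self.forwards = list(forwards)
        self.dropped = []

    def outbound(self, pkt: Packet) -> Packet:
        # Port-preserving for simplicity: the public port equals the private one.
        self.table.setdefault(pkt.src_port, (pkt.src_ip, pkt.src_port, pkt.dst_ip))
        return Packet(self.public_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        entry = self.table.get(pkt.dst_port)
        if entry and entry[2] == pkt.src_ip:
            return Packet(pkt.src_ip, pkt.src_port, entry[0], entry[1], pkt.payload)
        for fwd in self.forwards:
            if fwd.matches(pkt):
                return Packet(pkt.src_ip, pkt.src_port, fwd.target, pkt.dst_port, pkt.payload)
        self.dropped.append(pkt)  # no mapping, no forward: blocked
        return None


def simulate_call(with_forwards: bool) -> dict:
    """Run one outbound call through the NAT and report what got through."""
    forwards = []
    if with_forwards:
        forwards = [Forward(SIP_PORT, SIP_PORT, PBX_IP, allowed_src=CARRIER_IP),
                    Forward(*RTP_RANGE, PBX_IP, allowed_src=CARRIER_IP)]
    nat = StatefulNat(PUBLIC_IP, forwards)

    # 1. PBX sends the INVITE; the NAT learns the signaling flow.
    nat.outbound(Packet(PBX_IP, SIP_PORT, CARRIER_IP, SIP_PORT, "INVITE ..."))
    # 2. The carrier's answer rides the learned flow back in.
    answer = nat.inbound(Packet(CARRIER_IP, SIP_PORT, PUBLIC_IP, SIP_PORT, "SIP/2.0 200 OK"))
    # 3. The carrier starts sending RTP to the media port from the SDP. The PBX
    #    has not sent from that port yet, so there is no table entry for it.
    rtp = nat.inbound(Packet(CARRIER_IP, 20000, PUBLIC_IP, RTP_RANGE[0], "<rtp>"))
    # 4. An unrelated host probes the SIP port.
    probe = nat.inbound(Packet(SCANNER_IP, 5555, PUBLIC_IP, SIP_PORT, "OPTIONS ..."))

    return {"signaling": answer is not None,
            "inbound_audio": rtp is not None,
            "probe_blocked": probe is None}


if __name__ == "__main__":
    print("no forwards:  ", simulate_call(False))
    print("with forwards:", simulate_call(True))
```

Real NAT devices also time out idle mappings and do not always preserve ports, and the PBX must advertise the firewall’s public address in its SDP for the carrier to send media to the right place at all; the model leaves both out so that the translation-table mechanism stays visible.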

The Problem with SIP ALG

An application layer gateway, or ALG, is a proxy function that works much like a doorman: it decides which incoming packets for common protocols such as FTP, RTSP, and SIP are allowed through. With SIP, when a connection is requested, the ALG receives it first, inspects the packets, and then hands them off to the destination inside your network. Sounds secure, right? It can be. But there are problems. The two essential requirements of SIP firewall security are keeping the network secure and sending and receiving calls reliably. Giving up one for the other isn't an option.

While SIP ALG is meant to make your network easier to secure, it is often poorly designed and implemented. Because SIP ALG inspects SIP packets before they are delivered, it also modifies them, rewriting the private addresses in the headers and in the SDP body to the public address. SIP, like HTTP, is a text-based protocol, so any mistake in that rewrite changes the message's syntax. Consider what would happen if you removed the colon from the address https://www.voxtelesys.com: the connection would fail. The same is true for SIP. A botched rewrite of the SIP headers or body can leave the message unparseable, or pointing at the wrong address or port, and the call fails.
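The two mechanisms described above, a firewall policy that forwards only genuine SIP on port 5060 and an ALG that rewrites the text of a message, can be shown with one added Python example. It is not code from the article or from any firewall product; the INVITE, the private address 192.168.1.20, the public address 203.0.113.5 and the called number are constructed for the demonstration, and the carrier address is the one quoted earlier. `is_sip()` is the kind of check a 5060 policy applies: ASCII text, a SIP request or status line, the headers RFC 3261 requires, and a Content-Length that matches the body. `alg_rewrite()` does what a SIP ALG does to a message leaving a private network, and with `fix_content_length=False` it reproduces one defect of the kind the paragraph describes: editing the SDP body without correcting Content-Length, which the same policy check then rejects.

```python
"""Added example: a SIP well-formedness check for a 5060 policy and an ALG-style
address rewrite. Not code from the article; the INVITE and all addresses except
the carrier's are constructed for the demonstration."""
import re

PRIVATE_IP = "192.168.1.20"     # assumed private address of the IP-PBX
PUBLIC_IP = "203.0.113.5"       # assumed public address of the firewall
CARRIER_IP = "216.147.191.156"  # carrier address quoted in the article

# Constructed SDP body: c= is where the carrier sends RTP, m= is the port.
SDP_BODY = "\r\n".join([
    "v=0",
    f"o=pbx 1 1 IN IP4 {PRIVATE_IP}",
    "s=call",
    f"c=IN IP4 {PRIVATE_IP}",
    "t=0 0",
    "m=audio 10000 RTP/AVP 0",
    "",
])

# Constructed INVITE as the PBX would send it, private address and all.
INVITE = "\r\n".join([
    f"INVITE sip:15550100@{CARRIER_IP} SIP/2.0",
    f"Via: SIP/2.0/UDP {PRIVATE_IP}:5060;branch=z9hG4bK776asdhds",
    "Max-Forwards: 70",
    f"From: <sip:pbx@{PRIVATE_IP}>;tag=1928301774",
    f"To: <sip:15550100@{CARRIER_IP}>",
    "Call-ID: a84b4c76e66710@pbx.example",
    "CSeq: 1 INVITE",
    f"Contact: <sip:pbx@{PRIVATE_IP}:5060>",
    "Content-Type: application/sdp",
    f"Content-Length: {len(SDP_BODY)}",
    "",
    SDP_BODY,
])

REQUEST_LINE = re.compile(r"^[A-Z]+ \S+ SIP/2\.0$")
STATUS_LINE = re.compile(r"^SIP/2\.0 [1-6]\d\d .*$")
# Headers RFC 3261 requires in every request and response.
MANDATORY = ("via", "from", "to", "call-id", "cseq")


def parse(text: str):
    """Split a SIP message into (start line, {header: [values]}, body)."""
    head, sep, body = text.partition("\r\n\r\n")
    if not sep:
        raise ValueError("no blank line between headers and body")
    start, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise ValueError(f"bad header line: {line!r}")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return start, headers, body


def is_sip(datagram: bytes) -> bool:
    """Policy for UDP/5060: forward only syntactically valid SIP."""
    try:
        start, headers, body = parse(datagram.decode("ascii"))
    except (UnicodeDecodeError, ValueError):
        return False                      # binary (RTP, scanner noise) or garbage
    if not (REQUEST_LINE.match(start) or STATUS_LINE.match(start)):
        return False
    if any(name not in headers for name in MANDATORY):
        return False
    declared = headers.get("content-length", ["0"])[0]
    return declared.isdigit() and int(declared) == len(body)


def alg_rewrite(text: str, private_ip: str, public_ip: str,
                fix_content_length: bool = True) -> str:
    """Replace private_ip with public_ip where a SIP ALG typically does: the
    Via and Contact headers and the SDP o=/c= lines. With
    fix_content_length=False it mimics an ALG that edits the body but leaves
    the old Content-Length behind."""
    parse(text)                           # refuse to rewrite malformed input
    head, _, body = text.partition("\r\n\r\n")
    new_head = []
    for line in head.split("\r\n"):
        if line.partition(":")[0].strip().lower() in ("via", "contact"):
            line = line.replace(private_ip, public_ip)
        new_head.append(line)
    new_body = "\r\n".join(
        line.replace(private_ip, public_ip) if line.startswith(("o=", "c=")) else line
        for line in body.split("\r\n"))
    if fix_content_length:
        new_head = [f"Content-Length: {len(new_body)}"
                    if line.lower().startswith("content-length:") else line
                    for line in new_head]
    return "\r\n".join(new_head) + "\r\n\r\n" + new_body


if __name__ == "__main__":
    print("PBX INVITE accepted:", is_sip(INVITE.encode()))
    print("RTP on 5060 accepted:", is_sip(b"\x80\x00\x12\x34\x00\x00\x00\x01"))
    print("careful ALG accepted:", is_sip(alg_rewrite(INVITE, PRIVATE_IP, PUBLIC_IP).encode()))
    print("careless ALG accepted:", is_sip(alg_rewrite(INVITE, PRIVATE_IP, PUBLIC_IP, False).encode()))
```

The From header still carries the private address after the rewrite; a typical ALG leaves it alone because it is a logical identity, not a routing address, which is exactly why the rewrite has to be selective and why a careless one does damage.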

Many firewalls and routers ship with SIP ALG already enabled (NOTE: Cisco calls this SIP Fix Up). We recommend disabling SIP ALG for proper SIP firewall security and operation.

How to Disable SIP ALG

Before you proceed, all network changes should be approved by your network administrator. Settings for SIP ALG are generally found in the router’s admin panel, but every router is different. We have put together a list of common routers with links and instructions, which you can download here. If your router is not included, check the manufacturer’s support documentation. After changing the setting, place a test call and confirm that audio flows in both directions.

SIP Providers and SIP Firewall Security

While SIP trunking grows in popularity, finding a stable and reliable network security solution is still challenging for SMBs. Because of the variety of firewalls on the market and the number of providers in the field, most SIP providers do not support their customers’ firewalls. Essentially, a business is responsible for its own SIP firewall security, including all updates and changes. If you are unsure about configuring your firewall or are worried about security, we recommend hiring a network expert. This is too important to learn as you go.

With the right SIP firewall security, you can be assured the virtual front door of your business isn’t left open. Better yet, you won't lose call volume or call quality.

If you’re looking for more information on finding the right SIP trunking or end-to-end IP PBX solution for your business, click here.

